Check if your domain has a valid SPF record. Detects missing records, lookup count violations (the most common SPF failure), syntax errors, and misconfigurations that allow email spoofing.
This tool checks one area. The full scan covers SSL, open ports, HTTP headers, breach exposure, subdomain enumeration, compliance mapping, and more — free, no login required.
SPF (Sender Policy Framework) is a DNS-based email authentication protocol that specifies which mail servers are authorized to send email on behalf of your domain. It works by publishing a TXT record in your domain's DNS zone that lists approved sending IP addresses and hostnames. When a receiving mail server gets an email claiming to be from your domain, it performs a DNS lookup to retrieve your SPF record and checks whether the sending server's IP address is authorized. If the IP is not listed, the receiving server can reject the message, mark it as spam, or let it through depending on the qualifier specified in the record.
SPF was originally defined in RFC 4408 and later updated by RFC 7208. It is one of three core email authentication protocols alongside DMARC and DKIM. Together, these protocols form a defense-in-depth strategy that protects your domain from phishing, spoofing, and business email compromise (BEC) attacks.
An SPF record is a single DNS TXT record published at your domain's root. When a receiving server processes an inbound email, it extracts the envelope sender domain (the Return-Path or MAIL FROM address), queries DNS for a TXT record starting with v=spf1, and evaluates the mechanisms in order from left to right until one matches the sending server's IP address.
Every SPF record begins with the version tag v=spf1 followed by one or more mechanisms and a final all catch-all. Here is an example:
v=spf1 ip4:203.0.113.0/24 include:_spf.google.com include:sendgrid.net -all
ip4 / ip6 — authorize specific IP addresses or CIDR ranges. These do not count toward the DNS lookup limit.include — delegates authorization to another domain's SPF record. Each include triggers an additional DNS lookup.a — matches the domain's A or AAAA record IP addresses.mx — matches the IP addresses of the domain's MX (mail exchanger) records.redirect — replaces the current SPF evaluation with another domain's SPF record.all — the catch-all mechanism that matches everything not matched by previous mechanisms.Each mechanism can be prefixed with a qualifier that determines how the receiving server should handle a match:
+ (Pass) — the default qualifier. The sending server is authorized. Usually omitted because it is implied.- (Hard Fail) — the sending server is not authorized. Receivers should reject the message. Recommended for production domains.~ (Soft Fail) — the sending server is probably not authorized. Receivers should accept but flag the message. Common during initial rollout.? (Neutral) — the domain makes no assertion about the sending server. Effectively the same as having no SPF record for that mechanism.For maximum protection, use -all (hard fail) at the end of your SPF record. This tells receivers to reject any email from servers not explicitly listed in your record.
RFC 7208 imposes a hard limit of 10 DNS lookups per SPF evaluation. This limit exists to prevent denial-of-service attacks where a maliciously crafted SPF record could force a receiving server into an excessive number of DNS queries. Each of the following mechanisms counts as one lookup: include, a, mx, redirect, and exists. Nested includes within included records also count toward the total.
Exceeding 10 lookups causes a PermError, which many receiving servers treat as a complete SPF failure. This is the single most common SPF misconfiguration and particularly affects organizations that use multiple SaaS email services.
ip4 / ip6 mechanisms directly. These do not count toward the lookup limit.ip4 instead.If your domain has no SPF record at all, anyone can send email as your domain. Add a TXT record with at minimum v=spf1 include:your-email-provider -all to start protecting your domain. Use our full domain scan to identify all issues at once.
When your SPF record exceeds the 10-lookup limit, the entire SPF check fails with a PermError. Flatten your record by replacing include chains with direct IP addresses, or split sending across subdomains.
A soft fail (~all) tells receivers to accept but flag unauthorized messages. While useful during initial deployment, leaving ~all permanently provides weak protection. Switch to -all once you have confirmed all legitimate senders are included.
If you use services like SendGrid, Mailchimp, Google Workspace, or Microsoft 365 to send email, you must add their include mechanisms to your SPF record. Without them, emails sent through these services will fail SPF checks and may be rejected or sent to spam.
The SPF specification allows only one SPF TXT record per domain. If your DNS has two or more records starting with v=spf1, the result is a PermError. Merge all mechanisms into a single record.
Using +all or omitting a qualifier on the all mechanism allows any server on the internet to send email as your domain. This completely negates the purpose of SPF. Always end your record with -all.
SPF directly impacts whether your emails reach the inbox or land in spam. Major email providers including Gmail, Outlook, and Yahoo evaluate SPF results as part of their spam filtering algorithms. A passing SPF result builds sender reputation over time, improving overall deliverability rates. Conversely, SPF failures can trigger spam filtering even for legitimate messages.
However, SPF alone is not sufficient for reliable email delivery. SPF only validates the envelope sender (Return-Path), not the visible From header that users see. This gap allows sophisticated spoofing attacks where the From header shows your domain even though the envelope sender is different.
For complete protection, SPF should be deployed alongside DKIM (which cryptographically signs message content) and DMARC (which ties SPF and DKIM together with a domain-level policy). This three-layer authentication chain is now a baseline requirement for email deliverability. For a comprehensive guide on deploying all three, read our SPF, DKIM, and DMARC setup guide.
If you send email through any of these services, add the corresponding include mechanism to your SPF record:
| Service | Include Mechanism |
|---|---|
| Google Workspace | include:_spf.google.com |
| Microsoft 365 | include:spf.protection.outlook.com |
| SendGrid | include:sendgrid.net |
| Mailchimp | include:servers.mcsv.net |
| Amazon SES | include:amazonses.com |
| Salesforce | include:_spf.salesforce.com |
When you enter a domain above, our SPF record validator performs a comprehensive analysis of your SPF configuration:
For a broader view of your domain's email security posture, run a DNS security check or use our full infrastructure scan to evaluate SPF alongside DKIM, DMARC, DNSSEC, SSL/TLS, security headers, and more.
Without an SPF record, any mail server on the internet can send email pretending to be from your domain. Most modern email providers will flag or reject messages from domains without SPF, meaning your legitimate emails may land in spam folders. Additionally, attackers can freely spoof your domain in phishing campaigns, which damages your brand reputation and can lead to your domain being blacklisted.
No. The SPF specification (RFC 7208) requires exactly one SPF TXT record per domain. If a domain has two or more SPF records, the result is a PermError, and most receiving servers will treat the SPF check as a failure. If you need to authorize multiple services, combine them into a single record using multiple include mechanisms.
Find the SPF include mechanism provided by your email service (for example, include:sendgrid.net for SendGrid). Edit your existing SPF TXT record in your DNS management panel and add the new include before the all mechanism. For example: v=spf1 include:_spf.google.com include:sendgrid.net -all. Be careful not to exceed the 10 DNS lookup limit when adding new includes.
The -all qualifier (hard fail) tells receiving servers to reject any email from servers not listed in your SPF record. The ~all qualifier (soft fail) tells receivers that unauthorized servers should be treated with suspicion but not outright rejected. While ~all is more forgiving during initial setup, -all provides much stronger protection against spoofing and is recommended for production domains.
SPF record changes propagate according to the TTL (Time to Live) value set on your DNS TXT record. Most DNS providers default to a TTL between 300 seconds (5 minutes) and 3600 seconds (1 hour). In practice, most changes are visible within 1 to 4 hours. If you are planning a migration, lower your TTL in advance so changes take effect faster.